US8745394B1 - Methods and systems for secure electronic communication - Google Patents
Methods and systems for secure electronic communication Download PDFInfo
- Publication number
- US8745394B1 US8745394B1 US13/973,173 US201313973173A US8745394B1 US 8745394 B1 US8745394 B1 US 8745394B1 US 201313973173 A US201313973173 A US 201313973173A US 8745394 B1 US8745394 B1 US 8745394B1
- Authority
- US
- United States
- Prior art keywords
- client application
- public
- private key
- user
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
Definitions
- the present invention relates generally to the field of electronic communication, and more particularly to methods and systems for secure electronic communication, such as secure electronic communication between a user's mobile device and a backend server.
- a client application for example, on a mobile device processor, sends a communication to a processor of a backend server
- the client application may sign the communication with its Public Key Infrastructure (PKI) private encryption key.
- PKI Public Key Infrastructure
- the communication may then travel from the client application to the processor of the backend server encrypted with the private key of the client application.
- the purpose of the private key which may be presumed to be known only to the client application, is to enable the backend server to confirm that the communication actually came from the client application and not from an unauthorized party.
- the private key of the client application may be vulnerable to compromise, for example, where it is stored on the client device, as well as in the transmission to the backend server.
- SSL Secure Sockets Layer
- Embodiments of the invention employ computer hardware and software, including, without limitation, one or more processors coupled to memory and non-transitory, computer-readable storage media with one or more executable computer application programs stored thereon which instruct the processors to perform the methods and systems for secure electronic communication described herein.
- Such methods and systems may involve, for example, receiving, using a server processor coupled to memory, a request message from a user's communication device processor consisting at least in part of a session key encrypted with a public key of a public/private key pair without sending a private key of the public/private key pair to, or storing the private key on, the user's communication device; decrypting, using the server processor, the request message with a private key of the public/private key pair and retrieving the decrypted session key from the decrypted request message; generating, using the server processor, a response message and encrypting the response message with the retrieved session key; and sending, using the server processor, the session key-encrypted response message to the user's communication device processor.
- receiving the request message may involve, for example, receiving the request message from the user's communication device processor consisting at least in part of the session key and user authentication credentials encrypted with the public key of the public/private key pair.
- receiving the request message may involve, for example receiving the request message from the user's communication device processor consisting at least in part of the session key and a user password encrypted with the public key of the public/private key pair.
- receiving the request message may involve, for example, receiving the request message consisting at least in part of the session key appended with the user password and encrypted with the public key of the public/private key pair.
- receiving the request message consisting at least in part of the session key encrypted with the public key may involve, for example, receiving the request message consisting at least in part of the session key generated by a client application on the user's communication device processor and encrypted with the public key of the public/private key pair.
- receiving the request message consisting at least in part of the session key generated by the client application and encrypted with the public key of the public/private key pair may involve, for example, receiving the request message consisting at least in part of the session key generated by the client application on the user's communication device processor and encrypted with the public key of the public/private key pair of the server.
- receiving the request message consisting at least in part of the session key generated by the client application and encrypted with the public key of the public/private key pair may involve, for example, receiving the request message consisting at least in part of the session key generated by the client application on the user's communication device processor and encrypted with the public key of the public/private key pair of the client application.
- receiving the request message consisting at least in part of the session key generated by the client application and encrypted with the public key of the public/private key pair of the client application may involve, for example, generating and storing a public/private key pair of the client application by the server processor without sending the client application private key of the generated public/private key pair to the user's communication device.
- receiving the request message consisting at least in part of the session key generated by the client application and encrypted with the public key of the public/private key pair may involve, for example, receiving the request message consisting at least in part of a session-specific random number generated by the client application on the user's communication device processor and encrypted with the public key of the public/private key.
- receiving the request message consisting at least in part of the session-specific random number generated by the client application on the user's communication device processor and encrypted with the public key of the public/private key pair may involve, for example, receiving the request message consisting at least in part of a 128-bit session-specific random number generated by the client application on the user's communication device processor and encrypted with the public key of the public/private key pair.
- receiving the request message may involve, for example, receiving the request message from the user's communication device processor consisting at least in part of a session key and a login request encrypted with the public key of a public/private key pair.
- decrypting the request message with the private key may involve, for example, decrypting the request message with the private key of the public/private key pair of the server.
- decrypting the request message with the private key of the public/private key pair of the server may involve, for example, generating a client application public/private key pair and storing the a client application public/private key pair without sending a client application private key to, or storing the client application private key on, the user's communication device.
- storing the a user's public/private key pair may involve, for example, storing the client application public/private key pair on a hardware security module without sending the client application private key of the public/private key pair to, or storing the client application private key on, the user's communication device.
- decrypting the request message with the private key of public/private key pair may involve, for example, decrypting the request message with the private key of a public/private key pair of a client application on the user's communication device processor.
- retrieving the decrypted session key from the decrypted request message may involve, for example, retrieving the decrypted session key that was generated by a client application on the user's communication device processor and encrypted with the public key of the public/private key pair.
- generating and encrypting the response message may involve, for example, generating a log-in response message and encrypting the log-in response message with the retrieved session key.
- sending the session key-encrypted response message may involve, for example, sending the session key-encrypted response message to a client application on the processor of the user's communication device encrypted with the session key generated and stored by the client application in volatile memory on the user's communication device.
- FIG. 1 is a schematic diagram that illustrates an overview example of key components and the flow of information between key components for embodiments of the invention
- FIG. 2 is a flow diagram that illustrates an example of securely communicating and storing the user's password on the backend server for embodiments of the invention
- FIG. 3 is flow diagram that illustrates an example of a process of secure communication between a client application processor and a backend server processor for embodiments of the invention.
- FIG. 4 is a flow chart that illustrates an overview example of secure electronic communication for embodiments of the invention.
- Embodiments of the invention utilize one or more special purpose computer software application program processes, each of which is tangibly embodied in a physical storage device executable on one or more physical computer hardware machines, and each of which is executing on one or more of the physical computer hardware machines (each, a “computer program software application process”).
- Physical computer hardware machines employed in embodiments of the invention comprise, for example, input/output devices, motherboards, processors, logic circuits, memory, data storage, hard drives, network connections, monitors, and power supplies.
- Such physical computer hardware machines include, for example, user machines and server machines that may be coupled to one another via a network, such as a local area network, a wide area network, or a global network through telecommunications channels which may include wired or wireless devices and systems.
- Embodiments of the invention provide methods and systems for secure electronic communication that protect communications originating, for example, from mobile applications running on users' communication devices, such as users' mobile devices, that are sent to processors of backend servers and provide confidentiality, non-repudiation and integrity checks for such communications without storing a private key locally in the mobile applications on the mobile devices.
- FIG. 1 is a schematic diagram that illustrates an overview example of key components and the flow of information between key components for embodiments of the invention.
- key components for embodiments of the invention may include, without limitation, a user's communication device processor 100 coupled over a network 102 to a server processor 104 .
- the user's communication device processor 100 may include, without limitation, the processor of any type of wired or wireless communication device that enables communication electronically.
- the network 102 may include, without limitation, any type of wired or wireless network.
- the server processor 104 may include, without limitation, the processor of any type of computing device that interfaces with the user's communication device processor 100 .
- the hardware security module 106 coupled to the server processor 104 may include, without limitation, a physical computing device for securely storing digital keys for strong authentication.
- a communication between the client application on the user's communication device processor 100 and the processor of a backend server 104 is not, for example, automatically initiated by the client application using the stored private key of the client application, as is done in the current process.
- the user may first enter a user name and password on the client application, which may be referred to as an integrity check.
- the client application may generate a random number that is session-specific. In other words, a new random number may be generated every time there is a new session between the client application on the user's communication device processor 100 and the server processor 104 .
- the client application-generated random number may be encrypted with a public key, such as the public key of the client application on the user's communication device 100 , and sent, along with the communication from the client application, to the backend server processor 104 .
- the backend server 104 may decrypt the communication and confirm that the communication was received from the client application on the user's communication device 100 .
- the private key of the client application need not be stored on the client device or transmitted with the communication from the client application to the backend server 104 as would have been done in a standard PKI process. Therefore, an unauthorized party who attempts to steal the private key of the client application, for example, by breaching the client device 100 or by intercepting the encrypted communication is unsuccessful. Further, a possible breach of security caused by key compromise in local secure storage, such as a secure element of a mobile device, is thereby minimized or eliminated.
- Embodiments of the invention may involve, for example, packaging a mobile application with a public key of an entity, such as a financial institution or other business entity. Thereafter, the mobile application may be downloaded to a user's mobile device processor 100 , for example, from an app store or from a private hosting site or an entity website or from any other suitable source.
- a unique private/public key pair for each mobile user may be generated in advance and stored by the entity's backend server 104 .
- a hash value of the mobile application binaries may likewise be generated in advance and similarly stored by the backend server 104 .
- the unique private key for each mobile user may be securely stored in the backend system 104 in advance.
- the mobile application 100 may be capable of generating a hash value of its binaries at the mobile application 100 at run time. The corresponding hash value of the mobile application 100 may also stored in the backend system 104 .
- the user's mobile application 100 may have the unique public key for the particular user in advance.
- FIG. 2 is a flow diagram that illustrates an example of securely communicating and storing the user's password on the backend server 104 for embodiments of the invention.
- the user may create a user password after registration, and the mobile client application 100 may generate a secure 128-bit random number as a session key. Thereafter, the client application 100 may append the user's password to the random number, encrypt the string with a public key, such as the entity's public key, and send the encrypted string to the processor of the backend server 104 .
- a public key such as the entity's public key
- the processor of the backend server 104 may decrypt the encrypted string with the entity's private key, create a private/public key pair unique to the user, and store the user's unique key pair in the hardware security module (HSM) 106 .
- HSM hardware security module
- the processor of the backend server 104 may generate a secure 128-bit random number, append the user's public key, encrypt the string with the session key, and send the encrypted string to the user's mobile application 100 .
- the user's mobile application 100 may decrypt the encrypted string with the session key and store the user's public key, for example, in a keystore on the mobile device.
- the user may enter his or her user name and password on the client application 100 .
- the mobile application 100 may generate a new session key, such as a new session-specific 128-bit random number, append the user's password to the random number, encrypt the string with the user's public key, and send the encrypted string to the processor of the backend server 104 .
- FIG. 3 is flow diagram that illustrates an example of a process of secure communication between a client application 100 and a backend server processor 104 for embodiments of the invention.
- a user may perform a function, such as a login, with the user's mobile application 100 , such as a mobile wallet, that requires communication with a backend server 104 .
- the present example is a user login, it is to be understood that the process may be the same or similar for any other secure interaction between a mobile application 100 on the user's mobile device and a backend server 104 .
- the user's mobile application 100 may generate and temporarily store a random number, such as a 128-bit random number, in volatile memory of the user's mobile device.
- the 128-bit random number may be used as a session key for the succeeding communication between the user's mobile application and the backend system 104 .
- the mobile application 100 may create a login request for the backend system 104 by combining the session key plus a request payload plus an application hash, encrypt the combination with the user's public key, and send the encrypted request to the backend system 104 .
- the processor of the backend server 104 may decrypt the encrypted request with the user's previously stored private key.
- the processor of the backend server 104 may retrieve the session key from the decrypted request and perform the requested operation.
- the requested operation may involve authentication of the user's credentials.
- the decrypted login request may include, for example, a user's login ID or user name and the user's password.
- the processor of the backend server 104 may perform the login operation. Thereafter, the processor of the backend server 104 may generate and encrypt a response using the session key retrieved from the decrypted request and send the encrypted response to the user's mobile application 100 .
- the user's mobile application 100 may retrieve the session key previously stored in the user's mobile device memory and decrypt the encrypted response with the retrieved session key.
- the mobile application 100 may encrypt a request with the user's public key and send the encrypted request to the processor of the backend server 104 .
- the logic may be similar to the logic employed, for example, at 301 through 303 as shown in FIG. 3 , in which a request is encrypted by the mobile application 100 using the user's public key, and the encrypted request is sent by the mobile application 100 to the processor of the backend server 104 .
- FIG. 4 is a flow chart that illustrates an overview example of secure electronic communication for embodiments of the invention.
- a request message may be received from a user's communication device processor 100 consisting at least in part of a session key encrypted with a public key of a public/private key pair without sending a private key of the public/private key pair to, or storing the private key on, the user's communication device 100 .
- the request message may be decrypted with a private key of the public/private key pair and the decrypted session key may be retrieved from the decrypted request message.
- a response message may be generated and encrypted with the retrieved session key, and at 404 , the session key-encrypted response message may be sent to the user's communication device processor 100 similarly using the server processor 104 .
- embodiments of the invention may be implemented as processes of a computer program product, each process of which is operable on one or more processors either alone on a single physical platform, such as a personal computer, or across a plurality of platforms, such as a system or network, including networks such as the Internet, an intranet, a Wide Area Network (WAN), a Local Area Network (LAN), a cellular network, or any other suitable network.
- WAN Wide Area Network
- LAN Local Area Network
- cellular network or any other suitable network.
- Embodiments of the invention may employ client devices that may each comprise a computer-readable medium, including but not limited to, Random Access Memory (RAM) coupled to a processor.
- the processor may execute computer-executable program instructions stored in memory.
- processors may include, but are not limited to, a microprocessor, an Application Specific Integrated Circuit (ASIC), and or state machines.
- ASIC Application Specific Integrated Circuit
- Such processors may comprise, or may be in communication with, media, such as computer-readable media, which stores instructions that, when executed by the processor, cause the processor to perform one or more of the steps described herein.
- Such computer-readable media may include, but are not limited to, electronic, optical, magnetic, RFID, or other storage or transmission device capable of providing a processor with computer-readable instructions.
- suitable media include, but are not limited to, CD-ROM, DVD, magnetic disk, memory chip, ROM, RAM, ASIC, a configured processor, optical media, magnetic media, or any other suitable medium from which a computer processor can read instructions.
- Embodiments of the invention may employ other forms of such computer-readable media to transmit or carry instructions to a computer, including a router, private or public network, or other transmission device or channel, both wired or wireless.
- Such instructions may comprise code from any suitable computer programming language including, without limitation, C, C++, C#, Visual Basic, Java, Python, Perl, and JavaScript.
- client devices may also comprise a number of external or internal devices, such as a mouse, a CD-ROM, DVD, keyboard, display, or other input or output devices.
- client devices may be any suitable type of processor-based platform that is connected to a network and that interacts with one or more application programs and may operate on any suitable operating system.
- Server devices may also be coupled to the network and, similarly to client devices, such server devices may comprise a processor coupled to a computer-readable medium, such as a RAM.
- server devices which may be a single computer system, may also be implemented as a network of computer processors. Examples of such server devices are servers, mainframe computers, networked computers, a processor-based device, and similar types of systems and devices.
Abstract
Methods and systems for secure electronic communication involve, for example, using a processor coupled to memory to receive a request message from a user's communication device processor including a session key encrypted with a public key of a public/private key pair without sending a private key of the public/private key pair to, or storing the private key on, the user's communication device. Using the processor, the request message is decrypted with a private key of the public/private key pair and the session key is retrieved from the decrypted request message. Thereafter, also using the processor, a response message is generated and encrypted with the retrieved session key and sent to the user's communication device processor.
Description
The present invention relates generally to the field of electronic communication, and more particularly to methods and systems for secure electronic communication, such as secure electronic communication between a user's mobile device and a backend server.
Typically, when a client application, for example, on a mobile device processor, sends a communication to a processor of a backend server, the client application may sign the communication with its Public Key Infrastructure (PKI) private encryption key. The communication may then travel from the client application to the processor of the backend server encrypted with the private key of the client application. The purpose of the private key, which may be presumed to be known only to the client application, is to enable the backend server to confirm that the communication actually came from the client application and not from an unauthorized party. Currently, the private key of the client application may be vulnerable to compromise, for example, where it is stored on the client device, as well as in the transmission to the backend server.
The commonly-used Secure Sockets Layer (SSL) security protocol is not sufficiently secure for securing authentication credentials, such as a user's password and/or a device fingerprint, between a mobile client application and a backend serve, because of the possibility of compromise. There is presently no known solution that can provide payload encryption, non-repudiation and an integrity check for messages exchanged between mobile applications and backend systems without storing private keys in the mobile application on a device, such as a mobile phone, which makes the private key vulnerable to compromise.
There is a current need for methods and systems for secure electronic communication that secure all sensitive information including authentication credentials, such as user passwords and device fingerprints, by assuring that all communications between a mobile device application and a processor of a backend server are payload encrypted.
Embodiments of the invention employ computer hardware and software, including, without limitation, one or more processors coupled to memory and non-transitory, computer-readable storage media with one or more executable computer application programs stored thereon which instruct the processors to perform the methods and systems for secure electronic communication described herein. Such methods and systems that may involve, for example, receiving, using a server processor coupled to memory, a request message from a user's communication device processor consisting at least in part of a session key encrypted with a public key of a public/private key pair without sending a private key of the public/private key pair to, or storing the private key on, the user's communication device; decrypting, using the server processor, the request message with a private key of the public/private key pair and retrieving the decrypted session key from the decrypted request message; generating, using the server processor, a response message and encrypting the response message with the retrieved session key; and sending, using the server processor, the session key-encrypted response message to the user's communication device processor.
In aspects of embodiments of the invention, receiving the request message may involve, for example, receiving the request message from the user's communication device processor consisting at least in part of the session key and user authentication credentials encrypted with the public key of the public/private key pair. In other aspects, receiving the request message may involve, for example receiving the request message from the user's communication device processor consisting at least in part of the session key and a user password encrypted with the public key of the public/private key pair. In further aspects, receiving the request message may involve, for example, receiving the request message consisting at least in part of the session key appended with the user password and encrypted with the public key of the public/private key pair.
In further aspects of embodiments of the invention, receiving the request message consisting at least in part of the session key encrypted with the public key may involve, for example, receiving the request message consisting at least in part of the session key generated by a client application on the user's communication device processor and encrypted with the public key of the public/private key pair. In still further aspects, receiving the request message consisting at least in part of the session key generated by the client application and encrypted with the public key of the public/private key pair may involve, for example, receiving the request message consisting at least in part of the session key generated by the client application on the user's communication device processor and encrypted with the public key of the public/private key pair of the server.
In other aspects of embodiments of the invention, receiving the request message consisting at least in part of the session key generated by the client application and encrypted with the public key of the public/private key pair may involve, for example, receiving the request message consisting at least in part of the session key generated by the client application on the user's communication device processor and encrypted with the public key of the public/private key pair of the client application. In additional aspects, receiving the request message consisting at least in part of the session key generated by the client application and encrypted with the public key of the public/private key pair of the client application may involve, for example, generating and storing a public/private key pair of the client application by the server processor without sending the client application private key of the generated public/private key pair to the user's communication device.
In additional aspects of embodiments of the invention, receiving the request message consisting at least in part of the session key generated by the client application and encrypted with the public key of the public/private key pair may involve, for example, receiving the request message consisting at least in part of a session-specific random number generated by the client application on the user's communication device processor and encrypted with the public key of the public/private key. In further aspects, receiving the request message consisting at least in part of the session-specific random number generated by the client application on the user's communication device processor and encrypted with the public key of the public/private key pair may involve, for example, receiving the request message consisting at least in part of a 128-bit session-specific random number generated by the client application on the user's communication device processor and encrypted with the public key of the public/private key pair. In other aspects receiving the request message, may involve, for example, receiving the request message from the user's communication device processor consisting at least in part of a session key and a login request encrypted with the public key of a public/private key pair.
In other aspects of embodiments of the invention, decrypting the request message with the private key may involve, for example, decrypting the request message with the private key of the public/private key pair of the server. In additional aspects, decrypting the request message with the private key of the public/private key pair of the server may involve, for example, generating a client application public/private key pair and storing the a client application public/private key pair without sending a client application private key to, or storing the client application private key on, the user's communication device. In further aspects, storing the a user's public/private key pair may involve, for example, storing the client application public/private key pair on a hardware security module without sending the client application private key of the public/private key pair to, or storing the client application private key on, the user's communication device.
In still other aspects of embodiments of the invention, decrypting the request message with the private key of public/private key pair may involve, for example, decrypting the request message with the private key of a public/private key pair of a client application on the user's communication device processor. In still further aspects, retrieving the decrypted session key from the decrypted request message may involve, for example, retrieving the decrypted session key that was generated by a client application on the user's communication device processor and encrypted with the public key of the public/private key pair. In further aspects, generating and encrypting the response message may involve, for example, generating a log-in response message and encrypting the log-in response message with the retrieved session key. In additional aspects, sending the session key-encrypted response message may involve, for example, sending the session key-encrypted response message to a client application on the processor of the user's communication device encrypted with the session key generated and stored by the client application in volatile memory on the user's communication device.
These and other aspects of the invention will be set forth in part in the description which follows and in part will become more apparent to those skilled in the art upon examination of the following or may be learned from practice of the invention. It is intended that all such aspects are to be included within this description, are to be within the scope of the present invention, and are to be protected by the accompanying claims.
Reference will now be made in detail to embodiments of the invention, one or more examples of which are illustrated in the accompanying drawings. Each example is provided by way of explanation of the invention, not as a limitation of the invention. It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the scope or spirit of the invention. For example, features illustrated or described as part of one embodiment can be used in another embodiment to yield a still further embodiment. Thus, it is intended that the present invention cover such modifications and variations that come within the scope of the invention.
Embodiments of the invention utilize one or more special purpose computer software application program processes, each of which is tangibly embodied in a physical storage device executable on one or more physical computer hardware machines, and each of which is executing on one or more of the physical computer hardware machines (each, a “computer program software application process”). Physical computer hardware machines employed in embodiments of the invention comprise, for example, input/output devices, motherboards, processors, logic circuits, memory, data storage, hard drives, network connections, monitors, and power supplies. Such physical computer hardware machines include, for example, user machines and server machines that may be coupled to one another via a network, such as a local area network, a wide area network, or a global network through telecommunications channels which may include wired or wireless devices and systems.
Embodiments of the invention provide methods and systems for secure electronic communication that protect communications originating, for example, from mobile applications running on users' communication devices, such as users' mobile devices, that are sent to processors of backend servers and provide confidentiality, non-repudiation and integrity checks for such communications without storing a private key locally in the mobile applications on the mobile devices.
Referring further to FIG. 1 , the network 102 may include, without limitation, any type of wired or wireless network. The server processor 104 may include, without limitation, the processor of any type of computing device that interfaces with the user's communication device processor 100. The hardware security module 106 coupled to the server processor 104 may include, without limitation, a physical computing device for securely storing digital keys for strong authentication.
In embodiments of the invention, a communication between the client application on the user's communication device processor 100 and the processor of a backend server 104 is not, for example, automatically initiated by the client application using the stored private key of the client application, as is done in the current process. Instead, the user may first enter a user name and password on the client application, which may be referred to as an integrity check. When the user name and password are verified by the client application, the client application may generate a random number that is session-specific. In other words, a new random number may be generated every time there is a new session between the client application on the user's communication device processor 100 and the server processor 104.
In embodiments of the invention, the client application-generated random number may be encrypted with a public key, such as the public key of the client application on the user's communication device 100, and sent, along with the communication from the client application, to the backend server processor 104. Using the private key of the client application, which was previously stored by the backend server 104, the backend server 104 may decrypt the communication and confirm that the communication was received from the client application on the user's communication device 100.
Thus, in embodiments of the invention, the private key of the client application need not be stored on the client device or transmitted with the communication from the client application to the backend server 104 as would have been done in a standard PKI process. Therefore, an unauthorized party who attempts to steal the private key of the client application, for example, by breaching the client device 100 or by intercepting the encrypted communication is unsuccessful. Further, a possible breach of security caused by key compromise in local secure storage, such as a secure element of a mobile device, is thereby minimized or eliminated.
Embodiments of the invention may involve, for example, packaging a mobile application with a public key of an entity, such as a financial institution or other business entity. Thereafter, the mobile application may be downloaded to a user's mobile device processor 100, for example, from an app store or from a private hosting site or an entity website or from any other suitable source. In addition, a unique private/public key pair for each mobile user may be generated in advance and stored by the entity's backend server 104. Likewise, a hash value of the mobile application binaries may likewise be generated in advance and similarly stored by the backend server 104.
In embodiments of the invention, the unique private key for each mobile user, together with the hash of the user's mobile application and the user's personal identification number (PIN) and password may be securely stored in the backend system 104 in advance. Further, the mobile application 100 may be capable of generating a hash value of its binaries at the mobile application 100 at run time. The corresponding hash value of the mobile application 100 may also stored in the backend system 104. In addition, the user's mobile application 100 may have the unique public key for the particular user in advance.
Referring further to FIG. 2 , at 202, upon receiving the encrypted string from the mobile application 100, the processor of the backend server 104 may decrypt the encrypted string with the entity's private key, create a private/public key pair unique to the user, and store the user's unique key pair in the hardware security module (HSM) 106. At 203, the processor of the backend server 104 may generate a secure 128-bit random number, append the user's public key, encrypt the string with the session key, and send the encrypted string to the user's mobile application 100.
At 204, upon receiving the encrypted string, the user's mobile application 100 may decrypt the encrypted string with the session key and store the user's public key, for example, in a keystore on the mobile device. At 205, on a succeeding occasion, the user may enter his or her user name and password on the client application 100. Upon verifying the user name and password, the mobile application 100 may generate a new session key, such as a new session-specific 128-bit random number, append the user's password to the random number, encrypt the string with the user's public key, and send the encrypted string to the processor of the backend server 104.
Referring again to FIG. 3 , also at 301, the user's mobile application 100 may generate and temporarily store a random number, such as a 128-bit random number, in volatile memory of the user's mobile device. The 128-bit random number may be used as a session key for the succeeding communication between the user's mobile application and the backend system 104. In addition, at 301, the mobile application 100 may create a login request for the backend system 104 by combining the session key plus a request payload plus an application hash, encrypt the combination with the user's public key, and send the encrypted request to the backend system 104.
Referring further to FIG. 3 , at 302, upon receiving the encrypted request from the mobile application 100, the processor of the backend server 104 may decrypt the encrypted request with the user's previously stored private key. In addition, the processor of the backend server 104 may retrieve the session key from the decrypted request and perform the requested operation. In the login example, the requested operation may involve authentication of the user's credentials. Thus, the decrypted login request may include, for example, a user's login ID or user name and the user's password.
Referring again to FIG. 3 , also at 302, after checking and confirming that the user name and password matches the user name and user password previously stored for the user by the backend server 104, the processor of the backend server 104 may perform the login operation. Thereafter, the processor of the backend server 104 may generate and encrypt a response using the session key retrieved from the decrypted request and send the encrypted response to the user's mobile application 100.
Referring once more to FIG. 3 , at 303, upon receiving the encrypted response from the backend server 104, the user's mobile application 100 may retrieve the session key previously stored in the user's mobile device memory and decrypt the encrypted response with the retrieved session key. At 304, for a further communication from the client application to the processor of the backend server 104 within the same active session, the mobile application 100 may encrypt a request with the user's public key and send the encrypted request to the processor of the backend server 104.
Thereafter, for all ongoing communication between mobile application 100 and the processor of the backend server 104 in the same active session, the logic may be similar to the logic employed, for example, at 301 through 303 as shown in FIG. 3 , in which a request is encrypted by the mobile application 100 using the user's public key, and the encrypted request is sent by the mobile application 100 to the processor of the backend server 104.
Referring further to FIG. 4 , at 402, also using the server processor 104, the request message may be decrypted with a private key of the public/private key pair and the decrypted session key may be retrieved from the decrypted request message. At 403, likewise using the server processor 104, a response message may be generated and encrypted with the retrieved session key, and at 404, the session key-encrypted response message may be sent to the user's communication device processor 100 similarly using the server processor 104.
It is to be understood that embodiments of the invention may be implemented as processes of a computer program product, each process of which is operable on one or more processors either alone on a single physical platform, such as a personal computer, or across a plurality of platforms, such as a system or network, including networks such as the Internet, an intranet, a Wide Area Network (WAN), a Local Area Network (LAN), a cellular network, or any other suitable network.
Embodiments of the invention may employ client devices that may each comprise a computer-readable medium, including but not limited to, Random Access Memory (RAM) coupled to a processor. The processor may execute computer-executable program instructions stored in memory. Such processors may include, but are not limited to, a microprocessor, an Application Specific Integrated Circuit (ASIC), and or state machines. Such processors may comprise, or may be in communication with, media, such as computer-readable media, which stores instructions that, when executed by the processor, cause the processor to perform one or more of the steps described herein.
It is also to be understood that such computer-readable media may include, but are not limited to, electronic, optical, magnetic, RFID, or other storage or transmission device capable of providing a processor with computer-readable instructions. Other examples of suitable media include, but are not limited to, CD-ROM, DVD, magnetic disk, memory chip, ROM, RAM, ASIC, a configured processor, optical media, magnetic media, or any other suitable medium from which a computer processor can read instructions.
Embodiments of the invention may employ other forms of such computer-readable media to transmit or carry instructions to a computer, including a router, private or public network, or other transmission device or channel, both wired or wireless. Such instructions may comprise code from any suitable computer programming language including, without limitation, C, C++, C#, Visual Basic, Java, Python, Perl, and JavaScript.
It is to be further understood that client devices that may be employed by embodiments of the invention may also comprise a number of external or internal devices, such as a mouse, a CD-ROM, DVD, keyboard, display, or other input or output devices. In general such client devices may be any suitable type of processor-based platform that is connected to a network and that interacts with one or more application programs and may operate on any suitable operating system.
Server devices may also be coupled to the network and, similarly to client devices, such server devices may comprise a processor coupled to a computer-readable medium, such as a RAM. Such server devices, which may be a single computer system, may also be implemented as a network of computer processors. Examples of such server devices are servers, mainframe computers, networked computers, a processor-based device, and similar types of systems and devices.
Claims (13)
1. A method for secure electronic communication between a client application processor and a server processor, comprising:
generating, using a server processor coupled to memory, a client application public/private key pair and storing the client application public/private key pair on a physical hardware security module without sending a client application private key to, or storing the client application private key on, a user's communication device;
receiving, using the server processor, a request message from a user's communication device processor consisting at least in part of a session key encrypted with the client application public key of the public/private key pair;
retrieving, using the server processor, the client application private key of the public/private key pair stored on the physical hardware security module;
decrypting, using the server processor, the request message with the client application private key of the public/private key pair and retrieving the decrypted session key from the decrypted request message;
generating, using the server processor, a response message and encrypting the response message with the retrieved session key; and
sending, using the server processor, the session key-encrypted response message to the user's communication device processor.
2. The method of claim 1 , wherein receiving the request message further comprises receiving the request message from the user's communication device processor consisting at least in part of the session key and user authentication credentials encrypted with the client application public key of the public/private key pair.
3. The method of claim 1 , wherein receiving the request message further comprises receiving the request message from the user's communication device processor consisting at least in part of the session key and a user password encrypted with the client application public key of the public/private key pair.
4. The method of claim 3 , wherein receiving the request message further comprises receiving the request message consisting at least in part of the session key appended with the user password and encrypted with the client application public key of the public/private key pair.
5. The method of claim 1 , wherein receiving the request message consisting at least in part of the session key encrypted with the client application public key further comprises receiving the request message consisting at least in part of the session key generated by a client application on the user's communication device processor and encrypted with the client application public key of the public/private key pair.
6. The method of claim 1 , wherein receiving the request message consisting at least in part of the session key generated by the client application and encrypted with the client application public key of the public/private key pair further comprises receiving the request message consisting at least in part of a session-specific random number generated by the client application on the user's communication device processor and encrypted with the client application public key of the public/private key.
7. The method of claim 6 , wherein receiving the request message consisting at least in part of the session-specific random number generated by the client application on the user's communication device processor and encrypted with the client application public key of the public/private key pair further comprises receiving the request message consisting at least in part of a 128-bit session-specific random number generated by the client application on the user's communication device processor and encrypted with the client application public key of the public/private key pair.
8. The method of claim 1 , wherein receiving the request message further comprises receiving the request message from the user's communication device processor consisting at least in part of a session key and a login request encrypted with the client application public key of the public/private key pair.
9. The method of claim 1 , wherein retrieving the decrypted session key from the decrypted request message further comprises retrieving the decrypted session key that was generated by a client application on the user's communication device processor and encrypted with the client application public key of the public/private key pair.
10. The method of claim 1 , wherein generating and encrypting the response message further comprise generating a log-in response message and encrypting the log-in response message with the retrieved session key.
11. The method of claim 1 , wherein sending the session key-encrypted response message further comprises sending the session key-encrypted response message to a client application on the processor of the user's communication device encrypted with the session key generated and stored by the client application in volatile memory on the user's communication device.
12. A machine for secure electronic communication, comprising:
a server processor coupled to memory, the server processor being programmed for:
generating a client application public/private key pair and storing the client application public/private key pair on a physical hardware security module without sending a client application private key to, or storing the client application private key on, a user's communication device;
receiving a request message from a user's communication device processor consisting at least in part of a session key encrypted with the client application public key of the public/private key pair;
retrieving, using the server processor, the client application private key of the public/private key pair stored on the physical hardware security module;
decrypting the request message with the client application private key of the public/private key pair and retrieving the decrypted session key from the decrypted request message;
generating a response message and encrypting the response message with the retrieved session key; and
sending the session key-encrypted response message to the processor of the user's communication device.
13. A non-transitory computer-readable storage medium with an executable program stored thereon, wherein the program instructs a server processor to perform the following steps:
generate a client application public/private key pair and storing the client application public/private key pair on a physical hardware security module without sending a client application private key to, or storing the client application private key on, a user's communication device;
receive a request message from a user's communication device processor consisting at least in part of a session key encrypted with the client application public key of the public/private key pair;
retrieve the client application private key of the public/private key pair stored on the physical hardware security module;
decrypt the request message with the client application private key of the public/private key pair and retrieve the decrypted session key from the decrypted request message;
generate a response message and encrypt the response message with the retrieved session key; and
send the session key-encrypted response message to the processor of the user's communication device.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/973,173 US8745394B1 (en) | 2013-08-22 | 2013-08-22 | Methods and systems for secure electronic communication |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/973,173 US8745394B1 (en) | 2013-08-22 | 2013-08-22 | Methods and systems for secure electronic communication |
Publications (1)
Publication Number | Publication Date |
---|---|
US8745394B1 true US8745394B1 (en) | 2014-06-03 |
Family
ID=50781414
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/973,173 Active US8745394B1 (en) | 2013-08-22 | 2013-08-22 | Methods and systems for secure electronic communication |
Country Status (1)
Country | Link |
---|---|
US (1) | US8745394B1 (en) |
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8904195B1 (en) * | 2013-08-21 | 2014-12-02 | Citibank, N.A. | Methods and systems for secure communications between client applications and secure elements in mobile devices |
US9270449B1 (en) * | 2014-01-17 | 2016-02-23 | Amazon Technologies, Inc. | Secured communication in network environments |
EP3032858A1 (en) * | 2014-12-12 | 2016-06-15 | GN Resound A/S | Apparatus for secure hearing device communication and related method |
EP3032857A1 (en) * | 2014-12-12 | 2016-06-15 | GN Resound A/S | Hearing device with communication protection and related method |
US9503437B2 (en) | 2014-12-12 | 2016-11-22 | Gn Resound A/S | Apparatus for secure hearing device communication and related method |
US20170034133A1 (en) * | 2015-07-28 | 2017-02-02 | International Business Machines Corporation | User authentication over networks |
US9608807B2 (en) | 2014-12-12 | 2017-03-28 | Gn Hearing A/S | Hearing device with communication protection and related method |
KR101798022B1 (en) | 2016-05-26 | 2017-11-16 | 충남대학교산학협력단 | Method and apparatus for executing programs using trusted platform module |
US9882900B2 (en) | 2014-06-26 | 2018-01-30 | Amazon Technologies, Inc. | Mutual authentication with symmetric secrets and signatures |
US10122692B2 (en) | 2015-06-16 | 2018-11-06 | Amazon Technologies, Inc. | Handshake offload |
US10122689B2 (en) | 2015-06-16 | 2018-11-06 | Amazon Technologies, Inc. | Load balancing with handshake offload |
US10826875B1 (en) * | 2016-07-22 | 2020-11-03 | Servicenow, Inc. | System and method for securely communicating requests |
EP3493464B1 (en) | 2015-07-02 | 2020-12-02 | GN Hearing A/S | Client device with certificate and related method |
US10990356B2 (en) * | 2019-02-18 | 2021-04-27 | Quantum Lock Technologies LLC | Tamper-resistant smart factory |
CN113518078A (en) * | 2021-06-01 | 2021-10-19 | 中国铁道科学研究院集团有限公司 | Cross-network data sharing method, information demander, information provider and system |
US11218472B2 (en) | 2019-07-01 | 2022-01-04 | Steve Rosenblatt | Methods and systems to facilitate establishing a connection between an access-seeking device and an access granting device |
CN115361222A (en) * | 2022-08-26 | 2022-11-18 | 杭州安司源科技有限公司 | Communication processing method, device and system |
US11757629B2 (en) * | 2019-07-23 | 2023-09-12 | Mastercard International Incorporated | Methods and computing devices for auto-submission of user authentication credential |
Citations (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080046731A1 (en) | 2006-08-11 | 2008-02-21 | Chung-Ping Wu | Content protection system |
US7443985B2 (en) | 2002-06-28 | 2008-10-28 | Microsoft Corporation | Systems and methods for providing secure server key operations |
US20090106551A1 (en) * | 2006-04-25 | 2009-04-23 | Stephen Laurence Boren | Dynamic distributed key system and method for identity management, authentication servers, data security and preventing man-in-the-middle attacks |
US20090103726A1 (en) | 2007-10-18 | 2009-04-23 | Nabeel Ahmed | Dual-mode variable key length cryptography system |
WO2009133544A1 (en) | 2008-05-02 | 2009-11-05 | Markport Limited | A messaging device and server system |
US20100131756A1 (en) | 2008-11-26 | 2010-05-27 | James Paul Schneider | Username based authentication and key generation |
US20100197326A1 (en) | 2006-10-19 | 2010-08-05 | Duc Anh Ngo | interactive system and process |
US20100217979A1 (en) * | 2005-12-19 | 2010-08-26 | Karim Yaghmour | System and Method for Providing Certified Proof of Delivery Receipts for Electronic Mail |
US20120023336A1 (en) | 2009-12-10 | 2012-01-26 | Vijayarangan Natarajan | System and method for designing secure client-server communication protocols based on certificateless public key infrastructure |
US8135954B2 (en) | 2004-12-20 | 2012-03-13 | Motorola Mobility, Inc. | Distributed digital signature generation |
US20120079585A1 (en) * | 2006-04-14 | 2012-03-29 | Microsoft Corporation | Proxy authentication and indirect certificate chaining |
US20120101951A1 (en) | 2010-10-22 | 2012-04-26 | Michael Li | Method and System for Secure Financial Transactions Using Mobile Communications Devices |
US20120131661A1 (en) | 2010-11-22 | 2012-05-24 | Microsoft Corporation | Back-end constrained delegation model |
US20120155647A1 (en) | 2010-12-21 | 2012-06-21 | General Instrument Corporation | Cryptographic devices & methods |
US20120159150A1 (en) * | 2000-08-25 | 2012-06-21 | Research In Motion Limited | System and method for implementing an enhanced transport layer security protocol |
US20120170740A1 (en) | 2011-01-05 | 2012-07-05 | Electronics And Telecommunications Research Institute | Content protection apparatus and content encryption and decryption apparatus using white-box encryption table |
US8307208B2 (en) | 2008-06-04 | 2012-11-06 | Panasonic Corporation | Confidential communication method |
US20130007456A1 (en) | 2009-07-15 | 2013-01-03 | Research In Motion Limited | System and method for exchanging key generation parameters for secure communications |
US20130124866A1 (en) | 2011-11-15 | 2013-05-16 | Apple Inc. | Client-server system with security for untrusted server |
-
2013
- 2013-08-22 US US13/973,173 patent/US8745394B1/en active Active
Patent Citations (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120159150A1 (en) * | 2000-08-25 | 2012-06-21 | Research In Motion Limited | System and method for implementing an enhanced transport layer security protocol |
US7443985B2 (en) | 2002-06-28 | 2008-10-28 | Microsoft Corporation | Systems and methods for providing secure server key operations |
US8135954B2 (en) | 2004-12-20 | 2012-03-13 | Motorola Mobility, Inc. | Distributed digital signature generation |
US20100217979A1 (en) * | 2005-12-19 | 2010-08-26 | Karim Yaghmour | System and Method for Providing Certified Proof of Delivery Receipts for Electronic Mail |
US20120079585A1 (en) * | 2006-04-14 | 2012-03-29 | Microsoft Corporation | Proxy authentication and indirect certificate chaining |
US20090106551A1 (en) * | 2006-04-25 | 2009-04-23 | Stephen Laurence Boren | Dynamic distributed key system and method for identity management, authentication servers, data security and preventing man-in-the-middle attacks |
US20080046731A1 (en) | 2006-08-11 | 2008-02-21 | Chung-Ping Wu | Content protection system |
US20100197326A1 (en) | 2006-10-19 | 2010-08-05 | Duc Anh Ngo | interactive system and process |
US20090103726A1 (en) | 2007-10-18 | 2009-04-23 | Nabeel Ahmed | Dual-mode variable key length cryptography system |
WO2009133544A1 (en) | 2008-05-02 | 2009-11-05 | Markport Limited | A messaging device and server system |
US8307208B2 (en) | 2008-06-04 | 2012-11-06 | Panasonic Corporation | Confidential communication method |
US20100131756A1 (en) | 2008-11-26 | 2010-05-27 | James Paul Schneider | Username based authentication and key generation |
US20130007456A1 (en) | 2009-07-15 | 2013-01-03 | Research In Motion Limited | System and method for exchanging key generation parameters for secure communications |
US20120023336A1 (en) | 2009-12-10 | 2012-01-26 | Vijayarangan Natarajan | System and method for designing secure client-server communication protocols based on certificateless public key infrastructure |
US20120101951A1 (en) | 2010-10-22 | 2012-04-26 | Michael Li | Method and System for Secure Financial Transactions Using Mobile Communications Devices |
US20120131661A1 (en) | 2010-11-22 | 2012-05-24 | Microsoft Corporation | Back-end constrained delegation model |
US20120155647A1 (en) | 2010-12-21 | 2012-06-21 | General Instrument Corporation | Cryptographic devices & methods |
US20120170740A1 (en) | 2011-01-05 | 2012-07-05 | Electronics And Telecommunications Research Institute | Content protection apparatus and content encryption and decryption apparatus using white-box encryption table |
US20130124866A1 (en) | 2011-11-15 | 2013-05-16 | Apple Inc. | Client-server system with security for untrusted server |
Non-Patent Citations (3)
Title |
---|
Abusukhon, A. et al., "A Novel Network Security Algorithm Based on Private Key Encryption," Conference on Cyber Security Cyber Warfare and Digital Forensic (Cybersec), 2012 International, Jun. 26-28, 2012, pp. 33-37. |
IP.Com et al., "Auto-Generation of Encrypted Key at Both the Client Side and the Server Side," IP.Com Prior Art Database IPCOM000205360D, Mar. 28, 2011, pp. 1-3. |
Smith, et al, "Secure Mobile Communication Via Identity-Based Cryptography and Server-Aided Computations," Journal of Supercomputing, Aug. 31, 2009, pp. 1-20. |
Cited By (32)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8904195B1 (en) * | 2013-08-21 | 2014-12-02 | Citibank, N.A. | Methods and systems for secure communications between client applications and secure elements in mobile devices |
US9270449B1 (en) * | 2014-01-17 | 2016-02-23 | Amazon Technologies, Inc. | Secured communication in network environments |
US10574443B2 (en) | 2014-01-17 | 2020-02-25 | Amazon Technologies, Inc. | Secured communication in network environments |
US10375067B2 (en) | 2014-06-26 | 2019-08-06 | Amazon Technologies, Inc. | Mutual authentication with symmetric secrets and signatures |
US9882900B2 (en) | 2014-06-26 | 2018-01-30 | Amazon Technologies, Inc. | Mutual authentication with symmetric secrets and signatures |
EP3609210A1 (en) * | 2014-12-12 | 2020-02-12 | GN Hearing A/S | Hearing aid with communication protection and related method |
US10154059B2 (en) | 2014-12-12 | 2018-12-11 | Gn Hearing A/S | Hearing device with communication protection and related method |
US11284249B2 (en) | 2014-12-12 | 2022-03-22 | Gn Hearing A/S | Apparatus for secure hearing device communication and related method |
EP3716670A1 (en) * | 2014-12-12 | 2020-09-30 | GN Hearing A/S | Apparatus for secure hearing device communication and related method |
US9503437B2 (en) | 2014-12-12 | 2016-11-22 | Gn Resound A/S | Apparatus for secure hearing device communication and related method |
US10027474B2 (en) | 2014-12-12 | 2018-07-17 | Gn Hearing A/S | Hearing device with communication protection and related method |
US10045207B2 (en) | 2014-12-12 | 2018-08-07 | Gn Hearing A/S | Apparatus for secure hearing device communication and related method |
US10681082B2 (en) | 2014-12-12 | 2020-06-09 | Gn Hearing A/S | Hearing device with communication protection and related method |
US10595197B2 (en) | 2014-12-12 | 2020-03-17 | Gn Hearing A/S | Apparatus for secure hearing device communication and related method |
US9608807B2 (en) | 2014-12-12 | 2017-03-28 | Gn Hearing A/S | Hearing device with communication protection and related method |
EP3032858B1 (en) | 2014-12-12 | 2020-03-04 | GN Hearing A/S | Apparatus for secure hearing device communication and related method |
EP3032857A1 (en) * | 2014-12-12 | 2016-06-15 | GN Resound A/S | Hearing device with communication protection and related method |
EP3032857B1 (en) | 2014-12-12 | 2019-09-18 | GN Hearing A/S | Hearing device with communication protection and related method |
EP3032858A1 (en) * | 2014-12-12 | 2016-06-15 | GN Resound A/S | Apparatus for secure hearing device communication and related method |
US10122689B2 (en) | 2015-06-16 | 2018-11-06 | Amazon Technologies, Inc. | Load balancing with handshake offload |
US10122692B2 (en) | 2015-06-16 | 2018-11-06 | Amazon Technologies, Inc. | Handshake offload |
EP3493464B1 (en) | 2015-07-02 | 2020-12-02 | GN Hearing A/S | Client device with certificate and related method |
US10263962B2 (en) * | 2015-07-28 | 2019-04-16 | International Business Machines Corporation | User authentication over networks |
US20170034133A1 (en) * | 2015-07-28 | 2017-02-02 | International Business Machines Corporation | User authentication over networks |
US9674158B2 (en) * | 2015-07-28 | 2017-06-06 | International Business Machines Corporation | User authentication over networks |
KR101798022B1 (en) | 2016-05-26 | 2017-11-16 | 충남대학교산학협력단 | Method and apparatus for executing programs using trusted platform module |
US10826875B1 (en) * | 2016-07-22 | 2020-11-03 | Servicenow, Inc. | System and method for securely communicating requests |
US10990356B2 (en) * | 2019-02-18 | 2021-04-27 | Quantum Lock Technologies LLC | Tamper-resistant smart factory |
US11218472B2 (en) | 2019-07-01 | 2022-01-04 | Steve Rosenblatt | Methods and systems to facilitate establishing a connection between an access-seeking device and an access granting device |
US11757629B2 (en) * | 2019-07-23 | 2023-09-12 | Mastercard International Incorporated | Methods and computing devices for auto-submission of user authentication credential |
CN113518078A (en) * | 2021-06-01 | 2021-10-19 | 中国铁道科学研究院集团有限公司 | Cross-network data sharing method, information demander, information provider and system |
CN115361222A (en) * | 2022-08-26 | 2022-11-18 | 杭州安司源科技有限公司 | Communication processing method, device and system |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8745394B1 (en) | Methods and systems for secure electronic communication | |
CN109088889B (en) | SSL encryption and decryption method, system and computer readable storage medium | |
US9917829B1 (en) | Method and apparatus for providing a conditional single sign on | |
US8538020B1 (en) | Hybrid client-server cryptography for network applications | |
US9330245B2 (en) | Cloud-based data backup and sync with secure local storage of access keys | |
US9852300B2 (en) | Secure audit logging | |
US11102191B2 (en) | Enabling single sign-on authentication for accessing protected network services | |
US11676133B2 (en) | Method and system for mobile cryptocurrency wallet connectivity | |
US9973481B1 (en) | Envelope-based encryption method | |
US8904195B1 (en) | Methods and systems for secure communications between client applications and secure elements in mobile devices | |
US9219722B2 (en) | Unclonable ID based chip-to-chip communication | |
US9621524B2 (en) | Cloud-based key management | |
US10007797B1 (en) | Transparent client-side cryptography for network applications | |
US20160373414A1 (en) | Handshake offload | |
US20140096213A1 (en) | Method and system for distributed credential usage for android based and other restricted environment devices | |
US11546321B2 (en) | Non-custodial tool for building decentralized computer applications | |
JP2019502286A (en) | Key exchange through partially trusted third parties | |
US10033703B1 (en) | Pluggable cipher suite negotiation | |
US10122689B2 (en) | Load balancing with handshake offload | |
US8583911B1 (en) | Network application encryption with server-side key management | |
US10257171B2 (en) | Server public key pinning by URL | |
US11005828B1 (en) | Securing data at rest | |
Dey et al. | Message digest as authentication entity for mobile cloud computing | |
Zmezm et al. | A Novel Scan2Pass Architecture for Enhancing Security towards E-Commerce | |
US11539671B1 (en) | Authentication scheme in a virtual private network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: CITIBANK, N.A., NEW YORK Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:RAHAT, SYED;BROWNING, WAYNE;SIGNING DATES FROM 20130819 TO 20130821;REEL/FRAME:031062/0143 |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
FPAY | Fee payment |
Year of fee payment: 4 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 8 |